When iCloud becomes the Perfect Storm

A high-profile case of cloud hijacking and data vandalism has thrown new attention on iCloud, Amazon, Google and other big online names, as gaps in the ways security is handled potentially allow for hacking. Flaws in how Apple and Amazon handle account recovery have been blamed for the "digital destruction" of journalist Mat Honan's online life, following hackers' successful attempts to crack security on his iCloud account, gain access to his Gmail and Twitter, and then remotely lock and delete his MacBook, iPhone and iPad.

At fault - at least in part - was the inexact overlap between recovery policies for Apple and Amazon accounts, Honan writes. Although he himself shoulders the blame for the ensuing permanent loss of data - which comes down to not doing enough backups - a difference in opinion on how important the final four digits of a credit card number can be between Apple and Amazon proved the key with which the hack was achieved.

"Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification" Mat Honan

Apple gave Honan's hackers a temporary password to iCloud after they supplied his billing address and the last four digits of his credit card; the former was accessed from a WHOIS search, as Honan had used the address to register his personal site, and the latter through a manipulation of the Amazon account recovery system which reveals those digits of each saved card. The iCloud email account in question was identified via Gmail which, as Honan did not have two-factor authentication turned on, showed the partial recovery email address - m****n@me - which proved easy to guess in its entirety.

Those details allowed for unofficial iCloud access, and then everything in Honan's OS X and iOS connected life was up for grabs. The hackers locked him out of his devices and then wiped his data using the very tools provided in Find My Mac intended to help legitimate owners protect their information.

"If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life" Mat Honan

Although each company with a cloud service worth mentioning has its own data protection policies, few users stick solely to one provider. Apple claims that some aspects of its security polices "were not followed completely" but would not say if it was reconsidering how Find My Mac or other aspects of its iCloud security works; Amazon is yet to comment.

The takeaway for most users is to backup - preferably using local and/or separate cloud storage from other cloud data services relied upon - and to turn on two-step verification on Google accounts. Don't link important accounts together, and consider having a completely separate account for recovery purposes.